Bug #61046 [Opn]: Segfault when memory limit is hit while copying hash table
Edit report at https://bugs.php.net/bug.php?id=61046&edit=1 ID: 61046 Updated by: ras...@php.net Reported by:ni...@php.net Summary:Segfault when memory limit is hit while copying hash table Status: Open Type: Bug Package:Reproducible crash PHP Version:5.4.0RC7 Block user comment: N Private report: N New Comment: Same here. Reproducable on 64-bit Linux with memory_limit set to "512k". The segfault is here: zend_mm_remove_from_free_list (heap=0xf71730, mm_block=0x77fae1c8) at /home/rasmus/php-src/branches/PHP_5_4/Zend/zend_alloc.c:805 805 ZEND_MM_CHECK_TREE(mm_block); (gdb) p *mm_block $2 = {info = {_size = 16400, _prev = 57}, prev_free_block = 0x77fae1c8, next_free_block = 0x77fae1c8, parent = 0x0, child = {0x0, 0x0}} Note that parent is NULL there and ZEND_MM_CHECK_TREE tries to dereference *parent Previous Comments: [2012-02-10 17:46:09] jpa...@php.net Notice that I only reproduce with memory_limit set to accurate 512k , not 500k as in bug text, nor even 511k [2012-02-10 17:34:21] jpa...@php.net What I can say : - I dont reproduce on 5.3.10 - For 5.4, disabling ZendMM with USE_ZEND_ALLOC=0 makes the segfault disappear - For 5.4, changing the ZendMM segment size with ZEND_MM_SEG_SIZE={val} makes the segfault disappear, I havent tested all the possible values for SEG_SIZE. As a reminder, ZendMM default SEG_SIZE is set to 256k [2012-02-10 17:31:28] ni...@php.net GDB Stacktrace: #0 zend_mm_remove_from_free_list (heap=0x88da8d8, mm_block=0xb7fc5308) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:805 #1 0x083ad608 in _zend_mm_free_int (heap=0x88da8d8, p=0xb7fc52f0) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:2101 #2 0x083cd657 in destroy_op_array (op_array=0x8a5d4c8, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:380 #3 0x083cd777 in zend_function_dtor (function=0x8a5d4c8) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:124 #4 0x083e49ae in zend_hash_apply_deleter (ht=0x88dae70, p=0x8a5d498) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:650 #5 0x083e63b1 in zend_hash_reverse_apply (ht=0x88dae70, apply_func=0x83c7310 , tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:804 #6 0x083c7ecb in shutdown_executor (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_execute_API.c:304 #7 0x083d7c11 in zend_deactivate (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend.c:934 #8 0x0836be33 in php_request_shutdown (dummy=0x0) at /home/nikic/dev/php-src-git/main/main.c:1782 #9 0x0848d723 in do_cli (argc=4, argv=0xb3b4, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1169 #10 0x0806eaa3 in main (argc=4, argv=0xb3b4) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1356 [2012-02-10 17:28:02] ni...@php.net Description: The attached test script triggers a segfault. It happens during the shutdown after the memory limit is reached in the byRef($array) line. Test script: --- https://bugs.php.net/bug.php?id=61046&edit=1
Bug #61046 [Opn]: Segfault when memory limit is hit while copying hash table
Edit report at https://bugs.php.net/bug.php?id=61046&edit=1 ID: 61046 Updated by: jpa...@php.net Reported by:ni...@php.net Summary:Segfault when memory limit is hit while copying hash table Status: Open Type: Bug Package:Reproducible crash PHP Version:5.4.0RC7 Block user comment: N Private report: N New Comment: Notice that I only reproduce with memory_limit set to accurate 512k , not 500k as in bug text, nor even 511k Previous Comments: [2012-02-10 17:34:21] jpa...@php.net What I can say : - I dont reproduce on 5.3.10 - For 5.4, disabling ZendMM with USE_ZEND_ALLOC=0 makes the segfault disappear - For 5.4, changing the ZendMM segment size with ZEND_MM_SEG_SIZE={val} makes the segfault disappear, I havent tested all the possible values for SEG_SIZE. As a reminder, ZendMM default SEG_SIZE is set to 256k [2012-02-10 17:31:28] ni...@php.net GDB Stacktrace: #0 zend_mm_remove_from_free_list (heap=0x88da8d8, mm_block=0xb7fc5308) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:805 #1 0x083ad608 in _zend_mm_free_int (heap=0x88da8d8, p=0xb7fc52f0) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:2101 #2 0x083cd657 in destroy_op_array (op_array=0x8a5d4c8, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:380 #3 0x083cd777 in zend_function_dtor (function=0x8a5d4c8) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:124 #4 0x083e49ae in zend_hash_apply_deleter (ht=0x88dae70, p=0x8a5d498) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:650 #5 0x083e63b1 in zend_hash_reverse_apply (ht=0x88dae70, apply_func=0x83c7310 , tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:804 #6 0x083c7ecb in shutdown_executor (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_execute_API.c:304 #7 0x083d7c11 in zend_deactivate (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend.c:934 #8 0x0836be33 in php_request_shutdown (dummy=0x0) at /home/nikic/dev/php-src-git/main/main.c:1782 #9 0x0848d723 in do_cli (argc=4, argv=0xb3b4, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1169 #10 0x0806eaa3 in main (argc=4, argv=0xb3b4) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1356 [2012-02-10 17:28:02] ni...@php.net Description: The attached test script triggers a segfault. It happens during the shutdown after the memory limit is reached in the byRef($array) line. Test script: --- https://bugs.php.net/bug.php?id=61046&edit=1
Bug #61046 [Opn]: Segfault when memory limit is hit while copying hash table
Edit report at https://bugs.php.net/bug.php?id=61046&edit=1 ID: 61046 Updated by: jpa...@php.net Reported by:ni...@php.net Summary:Segfault when memory limit is hit while copying hash table Status: Open Type: Bug Package:Reproducible crash PHP Version:5.4.0RC7 Block user comment: N Private report: N New Comment: What I can say : - I dont reproduce on 5.3.10 - For 5.4, disabling ZendMM with USE_ZEND_ALLOC=0 makes the segfault disappear - For 5.4, changing the ZendMM segment size with ZEND_MM_SEG_SIZE={val} makes the segfault disappear, I havent tested all the possible values for SEG_SIZE. As a reminder, ZendMM default SEG_SIZE is set to 256k Previous Comments: [2012-02-10 17:31:28] ni...@php.net GDB Stacktrace: #0 zend_mm_remove_from_free_list (heap=0x88da8d8, mm_block=0xb7fc5308) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:805 #1 0x083ad608 in _zend_mm_free_int (heap=0x88da8d8, p=0xb7fc52f0) at /home/nikic/dev/php-src-git/Zend/zend_alloc.c:2101 #2 0x083cd657 in destroy_op_array (op_array=0x8a5d4c8, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:380 #3 0x083cd777 in zend_function_dtor (function=0x8a5d4c8) at /home/nikic/dev/php-src-git/Zend/zend_opcode.c:124 #4 0x083e49ae in zend_hash_apply_deleter (ht=0x88dae70, p=0x8a5d498) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:650 #5 0x083e63b1 in zend_hash_reverse_apply (ht=0x88dae70, apply_func=0x83c7310 , tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_hash.c:804 #6 0x083c7ecb in shutdown_executor (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend_execute_API.c:304 #7 0x083d7c11 in zend_deactivate (tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/Zend/zend.c:934 #8 0x0836be33 in php_request_shutdown (dummy=0x0) at /home/nikic/dev/php-src-git/main/main.c:1782 #9 0x0848d723 in do_cli (argc=4, argv=0xb3b4, tsrm_ls=0x88d9050) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1169 #10 0x0806eaa3 in main (argc=4, argv=0xb3b4) at /home/nikic/dev/php-src-git/sapi/cli/php_cli.c:1356 [2012-02-10 17:28:02] ni...@php.net Description: The attached test script triggers a segfault. It happens during the shutdown after the memory limit is reached in the byRef($array) line. Test script: --- https://bugs.php.net/bug.php?id=61046&edit=1